Archive for the ‘Apple’ Category

Update 2: If you block the UDP 3283 port on your own management ARD system then you will not be able to see the status of machines that are not in allow range of IPs. For example a client machine is on subnet 10.0.2.0/24 and allows ARD connections to it from 10.0.1.0/24. If you are blocking the UDP port on your management machine you will not see the status of the machines on the 10.0.2 subnet. Your management machine needs to allow the udp traffic from your client machines in to it.

UPDATE: With further testing this isn’t working as expected. I’ll leave it up as a starting place and update later when I’ve got it working right.

This is a very simplified explanation of Mac Firewalls and using the PF (packet filter) to allow certain IP address to access specific services on your Mac, like SSH and Apple Remote Desktop.

A Mac has two firewall systems, the Application Firewall (ALF) and the Packet Filter firewall (PF)

ALF can be tuned on in the GUI in System Preferences > Security & Privacy or from the command line. When ALF is on connections to the Mac from outside systems are blocked by default unless an application has told ALF to allow the connection. When you turn on Remote Login this allows incoming connections to SSH, port 22. There is no GUI to limit SSH access to a particular IP range. PF is the tool needed to limit connections to a particular port from an IP range.

PF can manipulate virtually any packet data. Tools like Host files and TCP Wrappers are not effective on modern macOS systems. Using PF to allow connections from a small range of IPs to a few ports on your Mac is about like using a freight company to deliver pizza. It’s fairly complicated but can be done. PF has the ability to turn a system into a router and is a very very powerful tool. It even has the ability to limit access to your system by connecting OS type.

You will likely find other references. Also check out the GUI apps Murus and IceFloor. I find both of these tools to be overly complex for the rather simple firewall tasks I need to do. If you have more complex needs these tools are very useful and they can help you figure out how the firewall system works.

The file structure

/etc/pf.conf – this is the main rule file which can reference other files or you can load it up with all the setting you need.

/etc/pf.anchors/ – files in this directory are referenced from pf.conf. Anchor files appear to follow the naming convention of “com.companyname”.

You can put reference files anywhere in the system that PF has access to read. Your custom lists could be in /Library/Preferences//pf/. This follows Apple conventions for 3rd party additions to the system.

Simple example

This simple example will limit access to SSH and Apple Remote Desktop from a range of IP addresses. This may help you get started. Most examples I’ve found on line assume you are using PF for a server not a desktop system.

The following is the default pf.conf file with the custom additions.

#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here. In addition,
# to the anchors loaded by this file, some system services would dynamically
# insert anchors into the main ruleset. These anchors will be added only when
# the system service is used and would removed on termination of the service.
#
# See pf.conf(5) for syntax.
#
#
# com.apple anchor point
#
pflog_logfile="/var/log/pflog"
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
### START Custom Rules ###
ARD_tcp = "{ 3283 5900 5988 }"
ARD_udp = "{ 3283 }"
AllowedIn = "{ 192.168.0.0/24, 192.168.1.0/24 }"
block return in proto tcp from any to any port 22
block return in proto tcp from any to any port \$ARD_tcp
block return in proto udp from any to any port \$ARD_udp
pass in inet proto tcp from <AllowedIn> to any port 22 no state
pass in inet proto tcp from <AllowedIn> to any port \$ARD_tcp no state
pass in inet proto udp from <AllowedIn> to any port \$ARD_udp no state
### END Custom Rules ###

You may or may not know about the ditto command on OS X. Ditto will duplicate “all” data from one location to another. This includes permissions, metadata, and hidden ‘dot’ files.

Lets say I want to copy everything from /Users/username1 to /Users/username2 but the directory “username2” does not exist.

With ditto you use this command:sudo ditto /Users/username1 /Users/username2

This will create the username2 directory then copy all the contents into it. If you were to use the command with out username2 as the destination. The contents of username1 would be copied into /Users making a mess of things.

You could have created the directory username2 then copied everything into it but then you wouldn’t get the permissions transfer to the username2 directory its self.

This is the perfect option for changing a username of a user on a Mac. Once you have copied everything from one username to another you can use the regular account creation tools in System Preference to now create a user for User Name2 with the short name username2. The Mac will now ask you if you want to use the existing folder for the new users home. Just say yes and you have a new user account using the same data that was in the old one. You can now delete the old user account and recover the space.

There is significantly more you can do with ditto but that covers most of what I’ve ever needed it for.

In OS X for several years now you could right click a file of folder on the desktop and select Archive or Compress and create a .zip archive. When you do this it’s more like creating a PKZip archive and all contents of the directory, in this case, are compressed. This includes meta data and .DS_Store files and probably a few other things I don’t know about. If you use the command line ‘unzip -l file.zip’ to list the contents of a Mac compressed file you will see something like this.

Note all of the “__MACOSX” directories. If you were to use the standard unzip command to extract the .zip you will get a directory named “__MACOSX” as well as your unarchived directory. Your newly unzipped directory does not contain any meta data or hidden resource files that may be necessary for some files to function properly. So how do you resolve this issue from the command line?

ditto to the rescue
If you don’t know the ‘ditto’ command and you manage Macs you should get to know it it’s fantastic for moving files and apparently even for archiving them. Check out the man page for ditto and you will get a number of useful examples. Until recently I didn’t know you could use the command for archiving files. Here is what the man page says about compression

I recently found the need to be able to turn on SSH access for only a certain user. The idea is to have an unprivileged user enabled for SSH so that Apple Remote Desktop can have its traffic wrapped in an SSH tunnel. For details see the Apple Remote Desktop 3.2 – Administrator’s Guide page 83. Using the unprivileged user is only one small part of trying to make the system reasonably secure while still allowing you to admin the systems remotely. You still need to set firewall rules and a few other things.

At least sense 10.6.8 Apple has been using two access groups in the local LDAP to control access to the SSH service. When you first setup a system and haven’t touched the Remote Login settings there are no access control groups for SSH in /Local/Default/Groups. If you turn on SSH you will get com.apple.access_ssh. If you limit who can login to SSH those users are added to the access group by the system. To enable SSH with a single user you would thing you can create the access group and add users using dseditgroup. That would work for a fresh system but if you have ever enabled then disabled SSH you will have a com.apple.access_ssh-disabled group. Changing SSH access in the GUI is easy and the system removes and adds these groups for you and you can watch all of it happen using dscl then list the contents of /Local/Default/Groups as you make changes.

The following is my shell script remove the groups, add the right group, add a user to the to that group and turn on ssh. Maybe this will help someone.

#!/bin/sh
# script to enable a particular user of SSH of OS X systems
# Marc Kerr http://marckerr.com 5/31/13
# Use this as you like. No guarantees
USERNAME="somebody"
# Check that root is running the script otherwise nothing works
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root" 1>&2
exit 1
fi
# Disable SSH to start with regardless of if it's on.
systemsetup -setremotelogin off
# Delete all associated SSH groups to start fresh.
# Whether the groups exist or not they will be removed.
for group in com.apple.access_ssh-disabled com.apple.access_ssh
do
dseditgroup -o delete -q $group
done
# now we can create the access group and add the user(s)
dseditgroup -o create -q com.apple.access_ssh
deseditgroup -o create -q $USERNAME -t user com.apple.access_ssh
# Turn SSH back on
systemsetup -setremotelogin on
exit 0

Here is a script I’ve pieced together to create a hidden user on OS X as a Standard user then set that user with ARD privileges. Not giving the user admin privileges really doesn’t protect from an ARD hack or someone with the password to that user because the ARD agent on the client machine will run remote commands as root. It would prevent a “Screen Sharing” user from doing anything as an admin.

#!/bin/sh
# This script will let you create a hidden standard user with any short name you want
# to get a username and password prompt use Option + down arrow then Command + Return
# This script is based on several sources:
# http://support.apple.com/kb/HT5017?viewlocale=en_US
# http://apple.stackexchange.com/questions/82472/what-steps-are-needed-to-create-a-new-user-from-the-command-line-on-mountain-lio
# http://www.tonymacx86.com/mac-os-x-support/87058-guide-how-make-hidden-admin-account-mac-osx.html
# http://support.apple.com/kb/ht2370
# This standard user is given Apple Remote Desktop access.
# For interactivity use the following
# Set the variable USERNAME
echo "Enter the Username of the account you want to create."
read USERNAME
echo "Enter the Pass Phrase of the account you want to create."
# Get settings for terminal then disable echo to hide typing of the password
oldmodes=`stty -g`
stty -echo
#This will make the variable PASSWORD
read PASSWORD
#sets term back to its original settings
stty $oldmodes
# If you dont' want interactivity comment out the previous and use these commands
# USERNAME="username"
# PASSWORD="User a passphrase"
#This makes the account and puts it into the admin group
dscl . create /Users/$USERNAME
dscl . create /Users/$USERNAME UniqueID 405
dscl . create /Users/$USERNAME PrimaryGroupID 20
dscl . create /Users/$USERNAME NFSHomeDirectory /private/var/$USERNAME
dscl . create /Users/$USERNAME UserShell /bin/bash
# because we are using a passphrase the variable needs to be in quotes.
dscl . passwd /Users/$USERNAME "$PASSWORD"
### Enable ARD
# Set ARD for a specific user with specific access privileges
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-activate -configure -access -on -users $USERNAME \
-privs -DeleteFiles -TextMessages -OpenQuitApps -GenerateReports -RestartShutDown -SendFiles -ChangeSettings
# you must also set the specifiedUsers option to limit access to the individual user
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-configure -allowAccessFor -specifiedUsers -restart -agent -menu
# Users with a UID less than 500 will be hidden with this
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool TRUE
# This makes the account hidden
defaults write /Library/Preferences/com.apple.loginwindow HiddenUsersList -array $USERNAME
# This makes the Other in the login window dissapear
defaults write /Library/Preferences/com.apple.loginwindow SHOWOTHERUSERS_MANAGED -bool FALSE
# Create the users home directory
createhomedir -c -u $USERNAME
exit 0

Who writes this stuff? It’s obviously people who don’t really know about Mac OS X. This also doesn’t give me much confidence in their software. The little excerpt, below, is from documentation by a major company that provides a certain kind of security software for Macs in enterprise deployments.

Prepare Your MAC

Installation of daemons (services) on MAC OS X systems requires root account privileges. This means that root account should always be used when installing the Xxxx XXX Agent (names obscured to protect the potentially guilty).

You can switch to your local root account by using the command ‘su root’ in your Mac Terminal. You will be prompted to provide the password for the root account.

Provide the password for ‘root’ if you know it. If you are not certain about the password, you may want to try entering ‘toor’, which is the default password for the root account, or you may also try with the current password of your Administrator account. Both ways may work, but if the account is disabled on the system, none of the passwords would work.

If you do not know the password for the root account, or the latter is currently disabled, you can perform the following actions in order to enable the account and set a new password:

Open Terminal

Type ‘sudo passwd root’

Provide a new password

There’s like 8 things wrong with this set of instructions, OK maybe just 2, but they are so WRONG it’s painful.

‘su root’ does not work on a Mac and it should never work! Then, since when has ‘toor’ been the default password for a Mac OS X system!? Ok ok maybe it was at one point on 10.0 or some beta version but I’v not found any such evidence. (not that I did an exhaustive search).

The ‘root’ user is disabled by default, there’s no authentication method enabled for root so you can’t login as root. You can use ‘sudo’ to run commands as the root user, and look they do that to give root a password! This is incredible and it just goes on from here with more stupidity.

The short of this is you can install their software with ‘sudo’ and it works fine, at least I think it works fine but really why should I have ever had to go to the command line to install this. It really boils down to the fact their Mac people don’t know Macs. They might know Linux but not Mac OS X.

I may try to post more regularly here. I’ve got a new job doing Apple system administration etc. So I’ll be able to do more technical things than I have in the past. Less advising how to do thing and more actual doing.

I noticed a significant focus on China with the latest OS updates. With China at 1.34 billion that’s a huge market to capture. I’m going to predict that Apple will be making a major push into that market. Expect Apple to sell more devices in the Chinese market in the next few years than the rest of the world. If your company is doing most of it’s business in China then why not open offices there with native Chinese developers to create the apps needed for that market?

Next is a minor thing but the Siri focus on Baseball seems a little out of pace with the the focus on a world wide market like China. Perhaps because baseball has such a rich set of statistics it makes sense to leverage that. But the biggest sport in the world is Soccer and if Apple is moving to more of a “world” focus with it’s products then they can’t ignore Soccer and for that matter Formula One. However there are financial demographics to consider too. But if that’s the case F1 is the richest set of enthusiasts there are and Soccer simply has numbers of fans. If you think you can sell iPhones to 20¢ an hour Chinese then why not world soccer fans?

Facebook integration seems like a late starter as a major thing to add to your OS. It seems very much like something that will feel like legacy baggage in about a year. But I guess because Google has gone their own way and ignored Apple and Apple has declared war on Android then that really only leaves Facebook and Twitter. The Twitter integration seems more appropriate but Google integration would be better. At this point because of the bad relations between the two companies it’ll be up to Google to make its apps work well with Apple products. So far, in my opinion, their efforts suck even when 3rd parties want to play.

iOS seems to be getting an education focus with better controls for letting kids use iPads without worrying that the kids will play games or go surfing the web. Good Job. Now if they can fix the broken App purchasing model for institutions then we’ll be good. The Volume Purchasing Program for iOS works fine if you need lots of something but not if you need a couple of things here or there. It doesn’t even exist for OS X!

Passbook should be good. That takes a different route than the near field communication systems that use RFID tags and all the security issues there. Possibly another industry changing system. We will wait to see for sure.

The new Maps app just points out the growing riff between Apple and Google. It looks like a good app but I’m not sure Apple can do it any better than Google. Maybe they can or at least keep up. Time will tell. With this kind of competition between these two companies it spells doom, or at least niche market status, for anyone else in the GPS map hardware business. Sell your stock in Garmin now!

Got the new Apple TV. It came in a brown box, in that was a white box and in that was a black box which is the Apple TV it’s self. W00T, well OK it’s just an Apple TV but it is better than my 1st Gen Apple TV.